SEA servers under threat from China’s Terracotta army: RSA
By Benjamin Cher April 26, 2016
- About a dozen cyber exploitation campaigns launched through VPN service
- Servers in Singapore, Malaysia, and Indonesia were compromised as well
RSA Research has discovered a commercial virtual private network (VPN), originating in China, which hacks into inadequately protected Windows servers – including those in South-East Asia – and ‘enlists’ them as server nodes to launch cyber-attacks.
The US-based cybersecurity company has named the VPN ‘Terracotta,’ saying it is being used to anonymise and obfuscate various groups’ threat activity.
VPN services give users secure and private Internet connections, bypassing server restrictions. The Terracotta hack uses the ‘brute-force’ method of a trial-and-error attack on the default administrator (admin) user account.
It can then enlist the server in under a minute after gaining entry, according to Kent Backman, threat intelligence analyst at RSA FirstWatch Threat Research.
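A detection check for the brute-force-then-entry sequence described above, added here as an example and not code from RSA or the article: it scans constructed Windows Security log records (the comma-separated form is an assumption about how a collector exports them) for a burst of failed logons (Event ID 4625) against the built-in Administrator account followed by a successful logon (Event ID 4624) from the same source within a short window, which is the point at which a server would be enlisted.

```python
"""Flag successful logons preceded by a burst of failures from the same
source, the pattern of a brute-forced default admin account.
Added example; the event lines below are constructed, not real data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "timestamp,event_id,account,source_ip" per line, the
# fields a collector would pull from Windows Security log events 4625/4624.
SAMPLE_EVENTS = """\
2016-04-20T10:00:01,4625,Administrator,198.51.100.7
2016-04-20T10:00:03,4625,Administrator,198.51.100.7
2016-04-20T10:00:05,4625,Administrator,198.51.100.7
2016-04-20T10:00:06,4625,Administrator,198.51.100.7
2016-04-20T10:00:08,4625,Administrator,198.51.100.7
2016-04-20T10:00:09,4624,Administrator,198.51.100.7
2016-04-20T10:30:00,4625,jdoe,203.0.113.5
2016-04-20T10:31:00,4624,jdoe,203.0.113.5
"""

def parse_events(text):
    """Parse the exported lines into (timestamp, event_id, account, source)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return sorted(events)  # chronological order is required by the sliding window

def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=1)):
    """Return (timestamp, account, source, failures) for every 4624 that was
    preceded by at least `threshold` 4625s from the same source within `window`."""
    recent = defaultdict(deque)  # (account, source) -> failure timestamps
    alerts = []
    for ts, eid, account, src in events:
        q = recent[(account, src)]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if eid == 4625:
            q.append(ts)
        elif eid == 4624 and len(q) >= threshold:
            alerts.append((ts, account, src, len(q)))
            q.clear()  # one alert per burst
    return alerts

if __name__ == "__main__":
    for ts, account, src, n in find_bruteforce_successes(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {account} from {src}: success after {n} failures")
```

The threshold and window are tuning knobs; lowering them trades false positives for catching slower attempts.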
“More than half of the servers we found and confirmed as having been compromised by Terracotta were virtual servers, and many of those were hosted externally of the leasing organisation’s corporate networks,” he told Digital News Asia (DNA) via email.
Such externally hosted virtual servers generally rank lower on the cybersecurity priority scale, as the value pegged to them is a lot less, according to Backman.
“Generally speaking, security resources are typically allocated based on risk assessment and prioritisation – when there is less value placed on the asset, it may get comparatively less security attention,” he said.
“To further illustrate the point, we saw some cases where legacy and development systems were compromised, but the same organisation’s production servers were not – even when they were in the same network range,” he added.
SEA attacks
Terracotta was used to launch approximately a dozen cyber-exploitation campaigns, according to RSA.
“I’d like to point out that a campaign might consist of many different activities over an extended period of time,” said Backman, adding that this might include taking control of a backdoor into a network, masquerading as the corporate network, phishing attacks, and others.
Worryingly, Terracotta server nodes were also discovered in South-East Asia.
“In 2015, Terracotta nodes were identified in Indonesia, Malaysia, Philippines, Singapore, Thailand and Vietnam,” said Backman.
“Several server nodes in these countries were later confirmed as having been compromised,” he added.
Even more worryingly, some organisations seemed apathetic to the fact that their servers had been compromised.
“To me, it’s just common sense that providing transit services for unknown traffic can’t be good,” said Backman. “But some organisations we contacted did not seem to care.”
This is despite the fact that being used as a server node in this manner has financial and network consequences.
“VPN connections are notorious bandwidth hogs because downloading a file through a VPN client represents double the traffic (upstream and downstream) from the perspective of the VPN server,” said Backman.
“One compromised organisation we worked with used on-premises Windows servers for online academic courses – it had five servers that were compromised and used to serve Terracotta VPN connections to residents in China.
“This organisation was in the process of upgrading its Internet connection, mainly due to the additional 100,000 clients per month it had that it was unaware of.
“Once we helped [the organisation] remediate, it didn’t need the upgrade,” he added.